The user-based access control implemented by SNMPv3 is based on contexts and user names, rather than on IP addresses and community strings. It is a partial implementation of the view-based access control model (VACM).

What is the first step you perform to configure an SNMPv3 user?

A. Configure server traps.

B. Configure the server group.*

C. Configure the server host.

D. Configure the remote engine ID.

Explanation/Reference

The first step in configuring an SNMPv3 user is to configure the server group, which enables authentication for members of a specified named access list, using the “snmp-server group” command. For example:

Router(config)# snmp-server group MyGroup v3 auth access snmp_acl

In this example, the SNMP server group MyGroup is configured to enable user authentication for members of the named access list snmp_acl.
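
The following Python audit is an added example, not part of the original page or of any Cisco tooling: it parses “snmp-server group” lines from a saved configuration and reports, for each group, what its security model and level leave unprotected and whether a view or access list narrows it. The sample configuration is constructed (only the MyGroup line comes from the example above), and the parsing assumes the simple read/write/notify/access keyword forms.

```python
import re

# Constructed sample of IOS configuration lines; only the MyGroup line
# is the page's own example, the other three are made up for the audit.
SAMPLE_CONFIG = """\
snmp-server group MyGroup v3 auth access snmp_acl
snmp-server group Legacy v2c
snmp-server group Ops v3 priv read OpsView access snmp_acl
snmp-server group Open v3 noauth write FullView
"""

GROUP_RE = re.compile(
    r"^snmp-server group (\S+) (v1|v2c|v3)(?: (auth|noauth|priv))?(.*)$")
# Assumption: options appear as simple "<keyword> <name>" pairs.
OPTION_RE = re.compile(r"\b(read|write|notify|access) (\S+)")


def parse_groups(config):
    """Return one dict per 'snmp-server group' line in the config text."""
    groups = []
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if not m:
            continue
        name, model, level, rest = m.groups()
        opts = dict(OPTION_RE.findall(rest))
        groups.append({"name": name, "model": model, "level": level, **opts})
    return groups


def audit(group):
    """List hardening findings for one parsed group."""
    findings = []
    if group["model"] != "v3":
        findings.append("no message authentication or encryption (%s)" % group["model"])
    elif group["level"] == "noauth":
        findings.append("v3 without authentication")
    elif group["level"] == "auth":
        findings.append("authenticated but not encrypted")
    if "read" not in group:
        findings.append("no explicit read view limiting the OID tree")
    if "write" in group:
        findings.append("write access granted")
    if "access" not in group:
        findings.append("no access list")
    return findings


if __name__ == "__main__":
    for g in parse_groups(SAMPLE_CONFIG):
        print(g["name"], g["model"], g["level"] or "-", audit(g))
```

Only the Ops group (v3 priv, with a read view and an access list) comes back with no findings.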

C. Its authentication and privacy algorithms are enabled without default values.*

D. It requires passwords at least eight characters in length.

Explanation/Reference

Default values do not exist for authentication or privacy algorithms when you configure the SNMP commands. Also, no default passwords exist. The minimum length for a password is one character, although we recommend that you use at least eight characters for security. If you forget a password, you cannot recover it and must reconfigure the user. You can specify either a plain text password or a localized Message Digest 5 (MD5) digest.

Which command can you enter on a switch to determine the current SNMP security model?

A. snmp-server contact

B. show snmp pending

C. show snmp group*

D. show snmp engineID

Explanation/Reference

Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. The security model combined with the security level determines the security mechanism applied when the SNMP message is processed.

The “show snmp group” command displays the names of groups on the router and the security model, the status of the different views, and the storage type of each group. Below is an example of this command.

The “show snmp engineID” command displays the identification of the local SNMP engine and all remote engines that have been configured on the router. The following example specifies 00000009020000000C025808 as the local engineID and 123456789ABCDEF000000000 as the remote engine ID, 171.69.37.61 as the IP address of the remote engine (copy of SNMP) and 162 as the port from which the remote device is connected to the local device:

Which three statements about the features of SNMPv2 and SNMPv3 are true? (Choose three)

A. SNMPv3 enhanced SNMPv2 security features*

B. SNMPv3 added the Inform protocol message to SNMP

C. SNMPv2 added the Inform protocol message to SNMP*

D. SNMPv3 added the GetBulk protocol messages to SNMP

E. SNMPv2 added the GetBulk protocol message to SNMP*

F. SNMPv2 added the GetNext protocol message to SNMP

Explanation/Reference

SNMPv1/v2 can neither authenticate the source of a management message nor provide encryption. Without authentication, it is possible for nonauthorized users to exercise SNMP network management functions. It is also possible for nonauthorized users to eavesdrop on management information as it passes from managed systems to the management system. Because of these deficiencies, many SNMPv1/v2 implementations are limited to simply a read-only capability, reducing their utility to that of a network monitor; no network control applications can be supported. To correct the security deficiencies of SNMPv1/v2, SNMPv3 was issued as a set of Proposed Standards in January 1998. -> A is correct.

GetBulkRequest: The GetBulkRequest message enables an SNMP manager to access large chunks of data. GetBulkRequest allows an agent to respond with as much information as will fit in the response PDU. Agents that cannot provide values for all variables in a list will send partial information. -> E is correct.

InformRequest: The InformRequest message allows NMS stations to share trap information. (Traps are issued by SNMP agents when a device change occurs.) InformRequest messages are generally used between NMS stations, not between NMS stations and agents. -> C is correct.

Note: These two messages are carried over SNMPv3.

Which feature can you use to restrict SNMP queries to a specific OID tree?

A. server group

B. a community

C. a view record*

D. an access group

Explanation/Reference

You can assign views to community strings to limit which MIB objects an SNMP manager can access. The syntax to create a view record is shown below: